From fdbb6fdfd77456ee6919bd87e8bd21c3762ef6ea Mon Sep 17 00:00:00 2001 From: IvanHunters Date: Wed, 29 Apr 2026 20:47:09 +0300 Subject: [PATCH] fix(harbor): mark credentials Secret with user-secret label The Helm-managed harbor-{name}-credentials Secret was not visible through the TenantSecrets API because the lineage webhook compared the real Secret name against the rendered template "{{ .name }}-credentials" (which becomes "{name}-credentials" without the "harbor-" HelmRelease prefix), failed to match, and labelled the Secret as internal.cozystack.io/tenantresource=false. Adopt the same pattern Bucket and RabbitMQ already use: stamp the user-facing Secret with apps.cozystack.io/user-secret=true and add a matchLabels rule alongside the existing resourceNames entry in the ApplicationDefinition. The webhook now matches via labels instead of relying on Secret-name templating, so the Secret is properly marked tenantresource=true and surfaces in tenant-aware clients. Signed-off-by: IvanHunters --- packages/apps/harbor/templates/harbor.yaml | 2 ++ packages/system/harbor-rd/cozyrds/harbor.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/packages/apps/harbor/templates/harbor.yaml b/packages/apps/harbor/templates/harbor.yaml index bf780967..434d121b 100644 --- a/packages/apps/harbor/templates/harbor.yaml +++ b/packages/apps/harbor/templates/harbor.yaml @@ -27,6 +27,8 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-credentials + labels: + apps.cozystack.io/user-secret: "true" stringData: admin-password: {{ $adminPassword | quote }} redis-password: {{ $redisPassword | quote }} diff --git a/packages/system/harbor-rd/cozyrds/harbor.yaml b/packages/system/harbor-rd/cozyrds/harbor.yaml index 5682c053..e957a49e 100644 --- a/packages/system/harbor-rd/cozyrds/harbor.yaml +++ b/packages/system/harbor-rd/cozyrds/harbor.yaml @@ -33,6 +33,8 @@ spec: include: - resourceNames: - "{{ .name }}-credentials" + - matchLabels: + apps.cozystack.io/user-secret: "true" services: exclude: [] include: